valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 01:55:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9d394065e3
osquery-1/specs/process_events.table
Teddy Reed 2813d3ab87 Add a Linux audit event publisher
2015-09-03 08:45:02 -07:00

29 lines
1.6 KiB
Plaintext
Raw Blame History

table_name("process_events")
description("Track time/action process executions.")
schema([
Column("pid", BIGINT, "Process (or thread) ID"),
Column("path", TEXT, "Path of executed file"),
Column("mode", BIGINT, "File mode permissions"),
Column("cmdline", TEXT, "Command line arguments (argv)"),
Column("cmdline_size", BIGINT, "Actual size (bytes) of command line arguments"),
Column("environment", TEXT, "Environment variables delimited by spaces"),
Column("environment_count", BIGINT, "Number of environment variables"),
Column("environment_size", BIGINT, "Actual size (bytes) of environment list"),
Column("uid", BIGINT, "User ID at process start"),
Column("euid", BIGINT, "Effective user ID at process start"),
Column("gid", BIGINT, "Group ID at process start"),
Column("egid", BIGINT, "Effective group ID at process start"),
Column("owner_uid", BIGINT, "File owner user ID"),
Column("owner_gid", BIGINT, "File owner group ID"),
Column("create_time", BIGINT, "File creation in UNIX time"),
Column("access_time", BIGINT, "File last access in UNIX time"),
Column("modify_time", BIGINT, "File modification in UNIX time"),
Column("change_time", BIGINT, "File last metadata change in UNIX time"),
Column("overflows", TEXT, "List of structures that overflowed"),
Column("parent", BIGINT, "Process parent's PID"),
Column("time", BIGINT, "Time of execution in UNIX time"),
Column("uptime", BIGINT, "Time of execution in system uptime"),
])
attributes(event_subscriber=True)
implementation("process_events@process_events::genTable")
Reference in New Issue View Git Blame Copy Permalink